Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    beginner-level question: pfSense versus AV on devices and router

    Scheduled Pinned Locked Moved General pfSense Questions
    7 Posts 5 Posters 1.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • 2
      2Cor521
      last edited by

      Hello everyone,

      [This is a newbie question.] For our home WiFi network, I have an Asus router with its own onboard AV protection and Bitdefender on our devices [Windows and iOS, and a NAS device with its own AV protection], and I would like to know what additional protection a pfSense appliance such as the Netgate 3100 will provide. This is for a residential network, not a commercial one. I do like the idea of a firewall in front of our home network as an additional layer of security, but before investing the time and $$$ I'd like to understand what it provides over and above these other layers.

      Thanks for your help!
      John

      T 2 2 Replies Last reply Reply Quote 0
      • T
        Tzvia @2Cor521
        last edited by

        @2cor521 I used to have a Zywall router with AV and intrusion detection that I paid for yearly. Issue with that on a router, looking at inbound traffic is, that most everything is HTTPS. Unless the router is doing man in the middle it's not doing very much as the traffic is encrypted. So I stopped paying, then went looking for something else and landed here, asking myself what you are asking now. I ended up with SNORT (intrusion detection) and PFBlocker installed. With those, I can block users from going to known bad sites, and the router checks for updates daily and those lists are chosen by me. Snort watches the LAN, not the WAN, again for activity going OUT which is suspect, and seeing the IP of the device doing it, I can respond to the device on my lan to clean it up if infected or if it needs to have software with known vulnerabilities updated. I can (and do) limit the outgoing ports to known ports for the programs I use and anything attempting to use some other random ports is blocked. I used to run a PROXY in PFSense with man in the middle setup to decrypt the HTTPS but found it too much trouble; PFBLOCKER and SNORT provide what I need with less hassle. PFSense also supports VLANS, which means you can segregate the IOT junk (doorbells, phones, game consoles, TVs...) onto another VLAN if your router supports that, and you can also use VLAN supporting wireless access points. Segmenting that stuff away from the PCs is a smart move. Yes it costs money if you don't have VLAN supporting hardware, but the point is that it can do it if needed. In the end, it's all about how much you are willing to learn and setup.

        Tzvia

        Current build:
        Hunsn/CWWK Pentium Gold 8505, 6x i226v 'micro firewall'
        16 gigs ram
        500gig WD Blue nvme
        Using modded BIOS (enabled CSTATES)
        PFSense 2.72-RELEASE
        Enabled Intel SpeedShift
        Snort
        PFBlockerNG
        LAN and 5 VLANS

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Separating you network into different VLANs for different risk devices is well worth it.

          Anti-virus on a firewall/router is next to useless unless you're full proxying all traffic to/from the internal clients. And there is a strong argument to be made that simply doing that is a security downgrade!
          AV on the firewall is definitely not a substitute to running on the devices. You need access to the hosts at a far deeper level than the firewall ever sees to do a decent job.

          Snort/Suricata can be useful once configured correctly.

          Running pfBlocker to prevent hosts connecting to lists of known malware servers is useful.

          IMO. ๐Ÿ˜‰

          Steve

          noplanN 1 Reply Last reply Reply Quote 0
          • noplanN
            noplan @stephenw10
            last edited by

            @stephenw10 said in beginner-level question: pfSense versus AV on devices and router:

            Anti-virus on a firewall/router is next to useless unless you're full proxying all traffic to/from the internal clients. And there is a strong argument to be made that simply doing that is a security downgrade!

            OH yes soooooo true and by the way
            That's called somehow a full man in the middle attack

            Do it with style... Do VLAN firewall and pfblocker with AV on each client device,
            When someone ask you why you do it this way tell them the guys who can read binary and calculate subnets in their head (aka the wise guys from the 90s) told you todo so ๐Ÿ˜‰๐Ÿคฃ

            1 Reply Last reply Reply Quote 0
            • 2
              2Cor521 @2Cor521
              last edited by

              Thanks for the detailed responses. So would this be correct ...

              • The Netgate firewall appliance would provide the first line of security, the internal segregation and the WiFi router capabilities, and I would no longer use the Asus router;
              • The topology would be [incoming cable] -> [modem] -> [appliance] -> { internal devices };
              • It isn't feasible to keep the router and have the topology [incoming cable] -> [modem] -> [appliance] -> [WiFi router] -> { internal devices } in order to add the firewall protection while retaining the services the router already provides (e.g., user time scheduling).

              Thanks again for your help [and your patience with the new guy ๐Ÿ˜ธ ]

              John

              noplanN 1 Reply Last reply Reply Quote 0
              • noplanN
                noplan @2Cor521
                last edited by noplan

                @2cor521

                looks like something like this
                /me not sure if you're mixin up te term of a wireless Access Point (like a Ubiquiti AcPro) with a
                wireless router like a WRT54G i would go with Access Point

                no you do not want double NAT or router cascade in your network ... more problems and issues
                you will stumble across when u start using the full potential of pfSense

                scheduling per IP
                limiter (up/down) per IP can easy be done by pfsense.

                keep in mind that if you want segregation all your switches must be capable to deal VLAN.

                3fb684e8-17ee-4908-be04-98d92e5db8bb-image.png

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @noplan
                  last edited by

                  @noplan the one thing I would do differently (if you have the ports available) is connect your AP into your vlan capable switch. You can still use an uplink just for those vlans to another interface on pfsense.

                  But doing so allows you to also put wired devices onto those vlans that your using for wireless.

                  With your drawing, and only 1 vlan on that switch - it doesn't even have to support vlans, only your AP would since it looks to be directly connected into a port on pfsense.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.